Authenticated session replication

ABSTRACT

Apparatus, systems, and methods may operate to receive, at an authentication agent in a first local area network (LAN), a virtual proxy authentication identification from a virtual proxy serving as a single point of trust for a second LAN across a wide area network. The virtual proxy authentication identification may be included in a modified session message originated within the second LAN. As a result, the apparatus, systems, and methods can operate to transmit content associated with the modified session message to a first plurality of individual proxy modules in the first LAN. Additional apparatus, systems, and methods are disclosed.

RELATED APPLICATIONS

The present application claims priority to India Patent Application No. 754/DEL/2007 filed in the India Patent Office on Apr. 4, 2007 and entitled “AUTHENTICATED SESSION REPLICATION;” the disclosure of which is incorporated by reference herein.

FIELD

The embodiments disclosed herein relate generally to data processing, including network session authentication and replication.

BACKGROUND

Data is collected, organized, and processed for virtually every transaction and communication that occurs in today's global economy. The integrity of this information (e.g., the authenticity and/or security of a message) has become important to enterprises and individuals. Consequently, a variety of techniques for securing and replicating information processing sessions exists in the industry, such as when sessions are distributed across a wide area network (WAN).

Session distribution may include exchanging messages between participating members in a cluster, such as session creation, session destruction, session timeouts, and session ownership changes. Session distribution may include session replication, in turn, via broadcasting replicated session messages. However, as the number of servers and/or services in the cluster increases, the message traffic due to replication operations can also increase, sometimes exponentially.

This is because, in a cluster push model, every new session is replicated to every server in the cluster, across all WANs and LANs, since a session request can go to any of the members in the cluster. That is, authenticated sessions are replicated across the servers in the cluster, so that if a switch fails over a user session from one proxy service on the server to another, there is no need to re-authenticate.

For example, when a proxy service sends messages from one LAN to another LAN across a WAN, the result can be a large number of session replication message transmissions across the WAN, the number dramatically increasing with the number of proxy servers. The latency of authentication session replication also increases with the number of proxy servers. It is the potential for such increases in message traffic and latency that generates a need for improved session replication techniques.

SUMMARY

In various embodiments, apparatus, systems, and methods for session replication are provided. For example, in some embodiments, authenticated session replication includes receiving, at an authentication agent in a first LAN, a virtual proxy authentication identification from a virtual proxy serving as a single point of trust for a second LAN across a WAN. The virtual proxy authentication identification may be included in a modified version of a session message originated in the second LAN.

Some embodiments further include transmitting content associated with the modified session message only to a first plurality of individual proxy modules in the first LAN. Other embodiments are also described, and along with the foregoing example, will be set forth in detail below.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow diagram illustrating authenticated session replication methods according to various embodiments of the invention.

FIG. 2 is another flow diagram illustrating authenticated session replication methods according to various embodiments of the invention.

FIG. 3 is a block diagram of an authenticated session replication apparatus according to various embodiments of the invention.

FIG. 4 is a block diagram of an authenticated session replication system according to various embodiments of the invention.

DETAILED DESCRIPTION

Some of the challenges described above may be addressed by using representative LAN virtual agents to implement authenticated session replication for clusters spanning a WAN and a plurality of LANs. LAN virtual agents, unique to each WAN endpoint, may be incorporated to represent sessions originating from their associated LAN within a cluster. By assigning a unique identification to each virtual agent, which in turn owns all sessions originating within its associated LAN, the overhead associated with trust establishment can be reduced. Thus, a cluster of servers can span a WAN to implement authenticated session replication without dramatically increasing WAN link utilization and session replication latency.

In many embodiments that make use of virtual agents, a unique authentication agent and virtual proxy are assigned to every LAN segment in the cluster. Thus, to the authentication agent in a particular LAN segment, only one virtual proxy is visible in every other LAN segment. Thus, even if a particular LAN segment has “N” individual proxies, authentication agents looking to communicate with that segment will see only a single virtual proxy. Any new session created within a LAN segment by any individual proxy in that segment will therefore be seen as a session created by the unique virtual proxy that represents that segment.

As a concrete example, if each of 50 LAN segments are connected by a WAN, with 20 servers in each LAN segment, a single session might be replicated on roughly 1000 servers across the WAN using prior schemes (that do not implement the LAN virtual agents as described herein), such that trust between the various entities will be established approximately 1000 times. However, if virtual agents are used in the manner described, each authentication agent may operate to replicate the session for only 49 servers across the WAN, and 20 servers within its own LAN segment. This reduction of approximately fifteen times applies to both the number of replicated sessions, as well as to the number of trusted entities.

As used herein, an “authentication agent” comprises an authenticated session repository and a broker that broadcasts proxy session messages from an originating individual proxy within its own LAN segment to all other participating virtual proxies in a cluster, as well as to the other individual proxies within its own (the same) LAN segment. However, the authentication agent does not transmit such messages to the virtual proxy within the same LAN segment.

A “cluster” comprises a set of proxy servers fronted by a layer four (L4) switch. Layer four represents the fourth, or transport, layer of the Open Systems Interconnection (OSI) network communication model.

A “proxy” (e.g., an individual proxy) operates to authenticate a user that is not yet in the session and to pass the authentication information to the authentication agent, which distributes the information to all of the virtual proxies (except the virtual proxy within its own LAN segment) in the cluster, as well as to individual proxies within its own LAN segment.

A “virtual proxy” or virtual agent comprises a representative proxy of all the proxies in a selected LAN segment belonging to the cluster. In generic terms, the virtual proxy operates as an agent, as that term is known to those of ordinary skill in the art.

A “LAN segment” comprises a set of individual proxies, an authentication agent, and a virtual proxy agent that are coupled to a single LAN, typically with high bandwidth connectivity among the component elements.

“Session replication messages” or session messages comprise session creation messages, session destruction messages, session timeout messages, and session ownership messages. A “session creation message” is created for a new session by a proxy after authenticating a user. This message is propagated to authentication agents. A “session destruction message” indicates session destruction due to a logout event, created by the proxy to which the user logs out. This message is propagated to authentication agents for a global logout. A “session timeout message” indicates the proxy that created the session has timed out the session, and this message is propagated to authentication agents in the cluster. A “session ownership change message” indicates that a session is now in use in another proxy. The originating proxy has timed out and all proxies need to change their records of session ownership to indicate the proxy where the session is currently in use.

When a trusted entity operates as a “single point of trust,” this means that the trusted entity functions as a secure authentication mechanism, so as to securely authenticate one group of entities (e.g., individual proxies within a LAN), and then to serve as a single source that represents the fact of their authentication to a second group of entities (e.g., a group of virtual proxies).

Various embodiments of the invention can be implemented in existing network architectures, directory services, security systems, storage interfaces, operating systems, file systems, backup systems, replication systems, and/or communication devices. For example, in some embodiments, the techniques presented herein are implemented in whole or in part using Novell® network services, proxy server products, email products, operating system products, and/or directory services products distributed by Novell, Inc., of Provo, Utah.

Embodiments of the invention can therefore be implemented in a variety of architectural platforms, operating and server systems, devices, systems, or applications. Any particular architectural layout or implementation presented herein is thus provided for purposes of illustration and comprehension only, and is not intended to limit the various embodiments.

FIG. 1 is a flow diagram illustrating authenticated session replication methods 111 according to various embodiments of the invention. The methods 111 are implemented in a machine-accessible and readable medium. The session replication methods 111 are operational over processes within and among networks. The networks may be wired, wireless, or a combination of wired and wireless. The methods 111 may be implemented as instructions, which when accessed by a machine, perform the processing depicted in FIG. 1. Given this context, authenticated session replication is now discussed with reference to FIG. 1.

To set up a foundation that can be used to establish a circle of trust according to various embodiments, an authenticated session replication method 111 may begin at block 121 with populating a configuration database with information regarding a trust relationship between a virtual proxy, a plurality of individual proxy modules, and an authentication agent within a LAN or LAN segment.

Here, a unique identification is assigned to every virtual proxy associated with a WAN endpoint. In this manner, the configuration database is populated with information so that each individual proxy module within a LAN or LAN segment knows the authentication agent that it will connect to and trust, each authentication agent understands the individual proxy modules (within its own LAN or LAN segment) and the virtual proxies that it trusts, and the virtual proxies know all the authentication agents that they will connect to and trust. The plurality of individual proxy modules, the LAN or LAN segment authentication agent, and the virtual proxies can thus read the configuration database, when they are launched, to establish trust among themselves.

In this way, the authentication agent in a LAN segment can establish a circle of trust with all the participating virtual proxies, so that every session associated with an authenticated user in the cluster can be trusted by the authentication agent. Thus, when a session creation message is received by an authentication agent from a virtual proxy from another LAN or LAN segment across a WAN, the source of the message (an individual proxy) will be trusted by the authentication agent, even though there is no direct trust relationship between the authentication agent and the individual proxy that created the session.

In some embodiments, authentication agents will be able to access an associated list of approved internet protocol (IP) addresses and ports in the configuration database. The members of this list may be selected by a system administrator. If a virtual proxy thereafter connects to an approved IP address and port then it will be trusted. A similar process occurs with the virtual proxies and their trusted authentication agents. In this manner, the virtual proxies can access information as to the IP address and port that should be used to connect to a particular authentication agent. Thus, session messages received at an authentication agent from a virtual proxy connected to an approved IP address and port will be trusted.

All sessions are uniquely identified by the individual proxy that authenticates them. A proxy that creates an authenticated session has the rights to destroy it. Thus, the method 111 may include receiving a local proxy authentication identification (LPAI) associated with one of a first plurality of individual proxy modules within a first LAN or LAN segment at block 125.

Receiving the LPAI at block 125 may include reading the LPAI from the configuration database and associating the LPAI with a session message created by one of the first plurality of individual proxy modules within a LAN or LAN segment.

Each created session is thereby associated with information, perhaps comprising a record that has a fixed format. The record may include the type of the message, the identification of the originating proxy for the message (e.g., the LPAI), and then the message itself (which has its own format as well). The virtual proxy can then replace the identification of the originating proxy in the record with its own identification when transmitting the message to authentication agents outside the LAN or LAN segment.

Thus, the method 111 may continue with replacing the LPAI with a virtual proxy authentication identification (VPAI) associated with the unique virtual proxy within the first LAN or LAN segment at block 129. The virtual proxy can thereby serve as a single point of trust across a WAN for session messages emanating from the first plurality of individual proxy modules.

Thus, any session message or record received from any of the individual proxy modules can have the LPAI replaced with the VPAI to provide a modified session message before transmission to authentication agents across the WAN using the approved IP address and port. Any modified session message received from any of the virtual proxies at an authentication agent in a particular LAN or LAN segment is then sent only to the individual proxy modules in the LAN or LAN segment (when received via an approved IP address and port), and not propagated to other virtual proxy agents. In this manner, any authentication agent receiving a message has established trust with the virtual proxy that sends it, so as to accept the message ownership and replicate the message content. A direct trust relationship between the authentication agent and the individual creating proxies in other LANs is not needed.

Therefore, when a session message passes from a LAN segment through its virtual proxy to other LAN segments across a WAN, the virtual proxy can modify the originator identification (of the individual proxy that created the session) to the unique identification of the virtual proxy. In this way, establishing trust between each authentication agent, the plurality of individual proxies in its associated LAN segment, and the virtual proxies across WAN segments is sufficient to accomplish authenticated session replication within the cluster. The transformation of the authentication identification (from that of the creating individual proxy to that of the virtual proxy) within a LAN segment relieves components in other LAN segments from needing specific knowledge of the existence of individual proxies in every segment.

The method 111 may go on to include transmitting the VPAI (usually, but not necessarily, as part of a session message) across the WAN to an authentication agent in a second LAN or LAN segment at block 133. The VPAI is also transmitted to the other authentication agents representing other LANs in the cluster. The method 111 may thus continue with receiving, at an authentication agent in the second LAN or LAN segment, the VPAI in a modified one of the session messages from the virtual proxy across the WAN at block 137. The method 111 may conclude with transmitting content associated with the modified session message only to a second plurality of individual proxy modules in the second LAN or LAN segment at block 141.
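The flow of blocks 121 through 141, together with the 50-segment count from the concrete example earlier, as a runnable simulation added here (it is not code from the patent or from Novell): the class and function names are assumptions, the addresses are constructed sample values, and trust is modelled as the approved (IP, port) list from the configuration database, each entry bound to the VPAI expected from that endpoint.

```python
from dataclasses import dataclass, replace
from enum import Enum


class MsgType(Enum):
    CREATION = "session_creation"
    DESTRUCTION = "session_destruction"
    TIMEOUT = "session_timeout"
    OWNERSHIP = "session_ownership_change"


@dataclass(frozen=True)
class SessionMessage:
    """Fixed-format record: message type, originator id, then the message body."""
    mtype: MsgType
    originator: str      # LPAI inside the LAN; rewritten to the VPAI for the WAN
    session_id: str
    body: dict


@dataclass(frozen=True)
class Endpoint:
    """TCP endpoint; the (IP, port) pair is what the configuration database approves."""
    ip: str
    port: int


class VirtualProxy:
    """Single point of trust for one LAN segment across the WAN (hypothetical class)."""

    def __init__(self, vpai, endpoint):
        self.vpai = vpai
        self.endpoint = endpoint
        self.remote_agents = []   # authentication agents in the other segments

    def modify(self, lsm):
        """Block 129: replace the LPAI in the record with this proxy's VPAI."""
        return replace(lsm, originator=self.vpai)

    def send_across_wan(self, lsm):
        """Block 133: one modified copy to every agent outside this segment.
        Returns how many WAN transmissions were accepted by their recipients."""
        msm = self.modify(lsm)
        return sum(aa.receive_from_wan(msm, self.endpoint) for aa in self.remote_agents)


class AuthAgent:
    """Session repository plus broker for one LAN segment (hypothetical class)."""

    def __init__(self, local_proxies, own_vp, approved):
        self.local_proxies = list(local_proxies)   # LPAIs in this segment
        self.own_vp = own_vp
        self.approved = dict(approved)             # Endpoint -> VPAI it must carry
        self.sessions = {}                         # session_id -> owner id
        self.delivered = []                        # (recipient LPAI, session_id)

    def _deliver_local(self, msg, skip=None):
        for lpai in self.local_proxies:
            if lpai != skip:
                self.delivered.append((lpai, msg.session_id))

    def on_local_message(self, lsm):
        """A local proxy authenticated a user: record the session, replicate it to the
        other local proxies, and hand it to the own VP, the only path to other segments."""
        self.sessions[lsm.session_id] = lsm.originator
        self._deliver_local(lsm, skip=lsm.originator)
        return self.own_vp.send_across_wan(lsm)

    def receive_from_wan(self, msm, source):
        """Blocks 137 and 141: accept only from an approved (IP, port) whose configured
        VPAI matches the originator field; replicate to local proxies only, never to VPs."""
        if self.approved.get(source) != msm.originator:
            return False            # unknown endpoint, or VPAI does not match it
        if msm.mtype == MsgType.DESTRUCTION:
            self.sessions.pop(msm.session_id, None)
        else:
            self.sessions[msm.session_id] = msm.originator
        self._deliver_local(msm)
        return True


def build_cluster(num_lans, proxies_per_lan):
    """Block 121: populate the trust configuration for a cluster of LAN segments."""
    vps = [VirtualProxy(f"VP{i}", Endpoint(f"10.{i}.0.1", 8443)) for i in range(num_lans)]
    approved = {vp.endpoint: vp.vpai for vp in vps}
    agents = []
    for vp in vps:
        proxies = [f"{vp.vpai}-IPM{j}" for j in range(proxies_per_lan)]
        # An agent never lists its own segment's VP as a trusted WAN source.
        trusted = {ep: v for ep, v in approved.items() if v != vp.vpai}
        agents.append(AuthAgent(proxies, vp, trusted))
    for vp, own in zip(vps, agents):
        vp.remote_agents = [aa for aa in agents if aa is not own]
    return vps, agents


def replicate_new_session(agents, lan, session_id):
    """First proxy in segment `lan` creates a session; returns (WAN sends, LAN deliveries)."""
    aa = agents[lan]
    lsm = SessionMessage(MsgType.CREATION, aa.local_proxies[0], session_id, {"user": "alice"})
    before = sum(len(a.delivered) for a in agents)
    wan = aa.on_local_message(lsm)
    return wan, sum(len(a.delivered) for a in agents) - before
```

With 50 segments of 20 proxies, `replicate_new_session` reports 49 WAN transmissions for a new session, matching the count given above, and every remote agent records the session under the VPAI rather than the creating proxy's LPAI.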

FIG. 2 is another flow diagram illustrating authenticated session replication methods 251 according to various embodiments of the invention. In this case, authenticated session replication is described more specifically with respect to propagating modified messages among virtual proxies and authentication agents. The methods 251 are implemented in a machine-accessible and readable medium. The session replication methods 251 are operational over processes within and among networks. The networks may be wired, wireless, or a combination of wired and wireless. The methods 251 may be implemented as instructions, which when accessed by a machine, perform the processing depicted in FIG. 2.

At block 261, the method 251 may include assigning unique virtual proxies to connection endpoints (e.g., LAN segments) of a WAN. The method 251 may continue with assigning a VPAI to each virtual proxy as a unique identity across the WAN at block 265.

Uniqueness may be established when the connection endpoints comprise transmission control protocol (TCP) endpoints, such that combinations of IP addresses and TCP ports for the connection endpoints are used to establish trust between peers. This mechanism has been described above. However, the various embodiments are not to be so limited. For example, uniqueness may also be established when the connection endpoints comprise secure socket layer (SSL) endpoints, and server certificates and/or client certificates are used to establish trust between peers.

The method 251 may go on to include, at block 269, modifying a session message from one of a second plurality of individual proxy modules in a second LAN or LAN segment according to the VPAI associated with the virtual proxy in that LAN or LAN segment to provide a modified session message. Once the session message has been modified, the method 251 may include receiving, at an authentication agent in a first LAN or LAN segment, the VPAI from the virtual proxy serving as a single point of trust for the second LAN or LAN segment across a WAN at block 273. The virtual proxy will also send the VPAI and modified session message to the other authentication agents representing other LANs in the cluster. The method 251 may also include repeating the receiving to replicate sessions created in the second LAN or LAN segment and authenticated by its virtual proxy.

The method 251 may include transmitting content associated with the VPAI and the modified session message (originated within the second LAN or LAN segment) only to a first plurality of individual proxy modules in the first LAN or LAN segment at block 277. The method 251 may also include transmitting the content directly from the authentication agent to the first plurality of individual proxy modules.

In some embodiments, the method 251 may include, at block 281, communicating information regarding a session associated with the modified session message from the virtual proxy to the authentication agent. The method 251 may also include, at block 285, replicating the information within the first LAN or LAN segment using the first plurality of individual proxy modules trusted by the authentication agent.

FIG. 3 is a block diagram of an authenticated session replication apparatus 300 according to various embodiments of the invention. The authenticated session replication apparatus 300 is implemented in a machine-accessible and readable medium and is operational over one or more networks (e.g., the LAN 318 and the WAN 338). The networks may be wired, wireless, or a combination of wired and wireless. The authenticated session replication apparatus 300 implements, among other things, the processing associated with the authenticated session replication methods 111 and 251 of FIGS. 1 and 2, respectively.

Turning now to FIG. 3, it can be seen that in some embodiments the authenticated session replication apparatus 300 comprises a virtual proxy VP within a LAN 318, and an authentication agent AA within the LAN 318. The virtual proxy VP and/or the authentication agent AA may be implemented in one or more machine accessible media to process on one or more machines within the LAN. The authentication agent AA, in turn, is to couple to a plurality of individual proxy modules IPM1, IPM2, . . . , IPMN within the LAN 318. That is, the authentication agent AA processes within the LAN and communicates with the individual proxy modules IPM1, IPM2, . . . , IPMN within the LAN 318. The virtual proxy VP is to represent all of the plurality of individual proxy modules IPM1, IPM2, . . . , IPMN as a single point of trust across the WAN 338 to authentication agents (not shown in FIG. 3, but see element AA2 in FIG. 4) outside the LAN segment 318.

The apparatus 300 may comprise an execution element 310, such as a switch (e.g., an L4 switch), a server, a terminal, a personal computer, a workstation, or any combination of these, coupled together within a LAN 318. Modules may comprise hardware, software, and firmware, or any combination of these.

The execution element 310 may comprise a single entity, or several entities in communication with one another, such as one or more Novell® BorderManager® (NBM) proxy servers, Novell® Access Manager™ Linux® Access Gateways, or any intermediary that checks for and accomplishes authentication in a cluster spanning links across a WAN. Thus, in some cases, the virtual proxy VP and the authentication agent AA may be included in a single server.

In some embodiments, the virtual proxy VP is to modify a local session message (LSM) 322 received from any one of the plurality of individual proxy modules IPM1, IPM2, . . . , IPMN according to a VPAI associated with the virtual proxy VP to provide a modified session message (MSM) 326. Thus, as described above, the virtual proxy VP may operate to replace an LPAI associated with the LSM 322 with a VPAI associated with the virtual proxy VP. It should be noted, however, that the modification of the LPAI to provide a VPAI may or may not include direct replacement (e.g., encoding or encrypting via bit manipulation, such as shifting and other numeric operations, may be used), depending on the design of a particular apparatus 300.

In some embodiments, the apparatus 300 may comprise a memory 334 (e.g., a database DB) to store a configuration, including protocols and ports associated with the plurality of individual proxy modules IPM1, IPM2, . . . , IPMN and their respective LPAIs. The configuration, as described above, enables the authentication agent AA to communicate with a selected one of the other virtual proxies (not shown, but see element VP2 in FIG. 4) in any selected LAN or LAN segment across the WAN 338. The plurality of individual proxy modules IPM1, IPM2, . . . , IPMN also have access to the memory 334.

FIG. 4 is a block diagram of an authenticated session replication system 406 according to various embodiments of the invention. The authenticated session replication system 406 is implemented in a machine-accessible and readable medium and is operational over one or more networks (e.g., LANs 418 and WAN 438). The networks may be wired, wireless, or a combination of wired and wireless. The authenticated session replication system 406 includes multiple instances of the apparatus 400 (similar to or identical to the apparatus 300 shown in FIG. 3), and implements, among other things, the processing associated with the authenticated session replication methods 111 and 251 of FIGS. 1 and 2, respectively.

Turning now to FIG. 4, it can be seen that an authenticated session replication system 406 may comprise a first plurality of individual proxy modules 414 within a first LAN or LAN segment, as well as a first authentication agent AA1 in the first LAN or LAN segment to receive a first modified session message MSM1 having a VPAI (VPAI=VP2) identifying a second virtual proxy VP2 outside the first LAN or LAN segment across the WAN 438. The first authentication agent AA1 is to transmit content CONT2 associated with the first modified session message MSM1 only to the first plurality of individual proxy modules 414.

With respect to authentication operations, the system 406 comprises a single cluster. The first plurality of individual proxy modules 414 may be included in a corresponding plurality of individual servers, or in a single server, or be distributed among some selected number of servers wherein some of the individual proxy modules 414 are included together in some servers, and others are included as single entities in single servers.

In some embodiments, the system 406 comprises a first virtual proxy VP1 within the first LAN or LAN segment to receive a local session message LSM1 from any of the first plurality of individual proxy modules 414. The first virtual proxy VP1 is used to transmit a second modified session message MSM2 to a second authentication agent AA2 in a second LAN or LAN segment across the WAN 438 after modifying the local session message LSM1 to provide the second modified session message MSM2 identifying the first virtual proxy VP1. Similarly, to transmit the first modified message MSM1 to the first authentication agent AA1, the system 406 may include a second virtual proxy VP2 in the second LAN or LAN segment. The modified session message MSM1 is sent to all authentication agents (including authentication agent AA1) that are not located in the LAN or LAN segments where the local message LSM2, upon which it is based, originated. Similarly, the modified session message MSM2 is sent to all authentication agents (including authentication agent AA2) that are not located in the LAN or LAN segments where the local message LSM1, upon which it is based, originated.

Thus, as described previously, the LPAI (e.g., LPAI=IPM2) in the local session message LSM1 having a specified protocol is to be replaced by a VPAI (e.g., VPAI=VP1) associated with the first virtual proxy VP1 to provide the second modified session message MSM2. After transmission to the authentication agents representing the various LAN segments in the cluster, the second authentication agent AA2 can be used to transmit content CONT1 associated with the second modified session message MSM2 only to a second plurality of individual proxy modules 416 in the second LAN or LAN segment.

Implementing the apparatus, systems, and methods described herein may thus provide a dramatic reduction in the number of replicated sessions across a WAN. The message traffic across the LAN may also be reduced, with a commensurate reduction in system communication latency.

This Detailed Description is illustrative, and not restrictive. Many other embodiments will be apparent to those of ordinary skill in the art upon reviewing this disclosure. The scope of embodiments should therefore be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.

The Abstract of the Disclosure is provided to comply with 37 C.F.R. §1.72(b) and will allow the reader to quickly ascertain the nature of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims.

In this Detailed Description of various embodiments, a number of features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as an implication that the claimed embodiments have more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive subject matter lies in less than all features of a single disclosed embodiment. Thus the following claims are hereby incorporated into the Detailed Description, with each claim standing on its own as a separate embodiment.

CLAIMS

1. An apparatus, comprising: a virtual proxy implemented in a machine accessible medium to process on at least one machine within a local area network (LAN); and an authentication agent to process within the LAN and to communicate with a plurality of individual proxy modules within the LAN, wherein the virtual proxy is to represent each of the plurality of individual proxy modules as a single point of trust across a wide area network (WAN) to authentication agents outside the LAN.

2. The apparatus of claim 1, wherein the virtual proxy is to modify a local session message received from any one of the plurality of individual proxy modules according to a virtual proxy authentication identification associated with the virtual proxy to provide a modified session message.

3. The apparatus of claim 2, wherein the virtual proxy is to replace a local proxy authentication identification used with the local session message with the virtual proxy authentication identification associated with the virtual proxy module.

4. The apparatus of claim 1, wherein the apparatus comprises a server including the virtual proxy and the authentication agent.

5. The apparatus of claim 1, further comprising: a memory to store a configuration including protocols and ports associated with the plurality of individual proxy modules and their respective local proxy authentication identifications.

6. The apparatus of claim 1, wherein the authentication agent is to communicate with a selected one of the other virtual proxies in any selected location across the WAN.

7. A system, comprising: a first plurality of individual proxy modules within a first local area network (LAN); and a first authentication agent implemented in a machine accessible medium to process on at least one machine within the first LAN and to receive a first modified session message having a virtual proxy authentication identification to identify a second virtual proxy located in a second LAN outside the first LAN across a wide area network (WAN), wherein the first authentication agent is to transmit content associated with the first modified session message to the first plurality of individual proxy modules.

8. The system of claim 7, wherein each of the first plurality of individual proxy modules are included in a corresponding different server.

9. The system of claim 7, further comprising: a first virtual proxy within the LAN to receive a local session message from any of the first plurality of individual proxy modules, and to transmit a second modified session message to a second authentication agent in a second LAN across the WAN after modifying the local session message to provide the second modified session message identifying the first virtual proxy.

10. The system of claim 9, wherein a local proxy authentication identification in the local session message having a specified protocol is to be replaced by the virtual proxy authentication identification associated with the first virtual proxy to provide the second modified session message.

11. The system of claim 9, further comprising: the second authentication agent to transmit content associated with the second modified session message just to a second plurality of individual proxy modules in the second LAN.

12. A method, comprising: receiving a local proxy authentication identification associated with one of a first plurality of individual proxy modules within a first local area network (LAN); and replacing the local proxy authentication identification with a virtual proxy authentication identification associated with a virtual proxy within the first LAN, the virtual proxy to serve as single point of trust across a wide area network (WAN) for session messages from the first plurality of individual proxy modules.

13. The method of claim 12, further comprising: transmitting the virtual proxy authentication identification across the WAN to an authentication agent in a second LAN, and to other authentication agents representing other LANs.

14. The method of claim 12, further comprising: receiving, at an authentication agent in a second LAN, the virtual proxy authentication identification in a modified one of the session messages from the virtual proxy across the WAN; and transmitting content associated with the modified one of the session messages just to a second plurality of individual proxy modules in the second LAN.

15. The method of claim 12, comprising: reading the local proxy authentication identification from a configuration database; and associating the local proxy authentication identification with one of the session messages.

16. The method of claim 15, comprising: populating the configuration database with information regarding a trust relationship among the virtual proxy, the first plurality of individual proxy modules, and an authentication agent in a second LAN.

17. A method, comprising: receiving, at an authentication agent in a first local area network (LAN), a virtual proxy authentication identification from a virtual proxy serving as a single point of trust for a second LAN across a wide area network (WAN); and transmitting content associated with a modified session message originated within the second LAN and a virtual proxy authentication identification just to a first plurality of individual proxy modules in the first LAN.

18. The method of claim 17, wherein the transmitting further comprises: transmitting the content directly from the authentication agent to the first plurality of individual proxy modules.

19. The method of claim 17, further comprising: modifying a session message from one of a second plurality of individual proxy modules in the second LAN with the virtual proxy authentication identification to provide the modified session message.

20. The method of claim 17, further comprising: repeating the receiving to replicate sessions created in the second LAN and authenticated by the virtual proxy.

21. The method of claim 17, further comprising: assigning the virtual proxy authentication identification as a unique identity across the WAN.

22. The method of claim 17, further comprising: assigning unique virtual proxies, including the virtual proxy, to connection endpoints of the WAN.

23. The method of claim 22, wherein the connection endpoints comprise transmission control protocol (TCP) endpoints, and combinations of Internet Protocol (IP) addresses and TCP ports for the connection endpoints are used to establish trust between peers.

24. The method of claim 22, wherein the connection endpoints comprise secure socket layer (SSL) endpoints, and at least one of server certificates and client certificates are used to establish trust between peers.

25. The method of claim 17, further comprising: communicating information regarding a session associated with the modified session message from the virtual proxy to the authentication agent; and replicating the information within the first LAN using the first plurality of individual proxy modules trusted by the authentication agent.